> On Apr 18, 2018, at 10:43 AM, Andy Polyakov <ap...@openssl.org> wrote: > > It can either be a probe just to see if it's reasonable to demand it, or > establish a precedent that they can refer to saying "it was always like > that, *your* application is broken, not ours." Also note that formally > speaking you can't blame them for demanding it. But you can blame them > for demanding it wrong. I mean they shouldn't try to communicate through > OU of self-signed certificate, but by terminating connection with > missing_extension alert, should they?
What I can blame them for is being counter-productively pedantic. Forget the RFC language, does what they're doing make sense and improve security or is it just a pointless downgrade justified by RFC text lawyering? -- Viktor. _______________________________________________ openssl-project mailing list openssl-project@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-project